Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.
1. A computer-implemented method for facilitating user access to a standalone computing device, the method comprising: receiving, by the standalone computing device from a mobile computing device associated with a user, a first command to access capabilities of the standalone computing device, wherein the first command includes an ephemeral user identifier, wherein the ephemeral user identifier includes an ephemeral key and user-specific metadata, wherein the ephemeral key is unique to and generated for the first command by a network service which is not directly accessible by the standalone computing device, wherein the user-specific metadata is previously registered by the user and stored by the network service, and wherein the ephemeral user identifier is digitally signed with a private key of the network service; verifying, by the standalone computing device using a public key of the network service, that the digitally signed ephemeral user identifier was generated by the network service; and causing the user access to the standalone computing device by executing, by the standalone computing device, the first command based on the user-specific metadata by accessing the capabilities of the standalone computing device.
2. The method of claim 1, further comprising: transmitting, by the standalone computing device to the mobile computing device, a notification indicating a successful execution of the first command, wherein the mobile computing device transmits the notification to the network service, which causes the network service to update an entry in a data structure, and wherein the entry corresponds to the user-specific metadata.
3. The method of claim 1, further comprising: pairing, by the standalone computing device, with the mobile computing device wirelessly based on one or more of: WiFi-Direct; Bluetooth; Near Field Communication (NFC); a wireless protocol; and a wireless protocol which does not involve a wireless access point or a wireless router.
4. The method of claim 1, wherein the digitally signed ephemeral user identifier is received by the mobile computing device prior to the standalone computing device receiving the first command, and wherein prior to the user receiving the digitally signed ephemeral user identifier, the user is authenticated by the network service based on one or more of: an application on the mobile computing device; a website; a form of biometric recognition via a component of the mobile computing device; and a password of the user to access the application or the website.
5. The method of claim 1, wherein the ephemeral user identifier is transmitted via a network from the network service to the mobile computing device, wherein the ephemeral user identifier is further verified by the mobile computing device using the public key of the network service prior to transmitting the first command to the standalone computing device, wherein the first command is transmitted by the mobile computing device to the standalone computing device, and wherein the user-specific metadata is stored by the network service, which allows the standalone computing device to verify that the mobile computing device is associated with a user which has been previously authorized by the network service.
6. The method of claim 1, wherein the ephemeral user identifier is hidden from the mobile computing device based on an encryption of the ephemeral user identifier and a message authentication code, wherein the encryption is performed using a session key derived based on a secure cryptographic handshake protocol between the standalone computing device and the network service, and wherein the secure cryptographic handshake protocol utilizes the mobile computing device as an untrusted relay.
7. The method of claim 1, wherein the network service comprises a cloud-based server, and wherein the standalone computing device is not connected to the cloud-based server via any networks or any wireless access points.
This invention relates to a method for operating a standalone computing device that interacts with a cloud-based server without requiring a network or wireless connection. The standalone computing device performs tasks that would typically rely on cloud-based processing but does so independently, eliminating the need for continuous connectivity. The method involves executing a pre-loaded application on the standalone device, where the application includes all necessary data and processing logic to function without external network access. The cloud-based server, which would normally handle certain computations or data storage, is bypassed entirely during operation. This approach ensures functionality in environments where network access is restricted or unavailable, such as in secure facilities, remote locations, or during travel. The standalone device may periodically synchronize with the cloud-based server when connectivity is restored, updating any necessary data or configurations. The invention addresses the problem of dependency on cloud services for critical operations, providing a solution that maintains functionality in offline scenarios while still leveraging cloud infrastructure when possible. The method ensures data consistency and operational continuity by handling tasks locally when offline and synchronizing with the cloud when online.
8. The method of claim 1, wherein prior to the network service transmitting the digitally signed ephemeral user identifier to the mobile computing device, the method further comprises establishing a first secure connection based on a Transport Layer Security protocol between the mobile computing device and the network service; and wherein prior to the standalone computing device receiving the first command, the method further comprises establishing a second secure connection based on the Transport Layer Security protocol between the mobile computing device and the standalone computing device.
9. The method of claim 1, wherein the standalone computing device is one or more of: a multifunction printer; an Internet of Things (IoT)-capable device; and a robot.
10. A computer system for facilitating user access to a standalone computing device, the computer system comprising: a processor; and a storage device storing instructions that when executed by the processor cause the processor to perform a method, the method comprising: receiving, by the standalone computing device from a mobile computing device associated with a user, a first command to access capabilities of the standalone computing device, wherein the first command includes an ephemeral user identifier, wherein the ephemeral user identifier includes an ephemeral key and user-specific metadata, wherein the ephemeral key is unique to and generated for the first command by a network service which is not directly accessible by the standalone computing device, wherein the user-specific metadata is previously registered by the user and stored by the network service, and wherein the ephemeral user identifier is digitally signed with a private key of the network service; verifying, by the standalone computing device using a public key of the network service, that the digitally signed ephemeral user identifier was generated by the network service; and causing the user access to the standalone computing device by executing, by the standalone computing device, the first command based on the user-specific metadata by accessing the capabilities of the standalone computing device.
11. The computer system of claim 10, further comprising: transmitting, by the standalone computing device to the mobile computing device, a notification indicating a successful execution of the first command, wherein the mobile computing device transmits the notification to the network service, which causes the network service to update an entry in a data structure, and wherein the entry corresponds to the user-specific metadata.
12. The computer system of claim 10, wherein the method further comprises: pairing, by the standalone computing device, with the mobile computing device wirelessly based on one or more of: WiFi-Direct; Bluetooth; Near Field Communication (NFC); a wireless protocol; and a wireless protocol which does not involve a wireless access point or a wireless router.
A computer system includes a standalone computing device and a mobile computing device that communicate wirelessly. The system addresses the problem of establishing a direct wireless connection between devices without relying on intermediate infrastructure like wireless access points or routers. The standalone computing device pairs with the mobile computing device using one or more wireless protocols, including WiFi-Direct, Bluetooth, Near Field Communication (NFC), or other wireless protocols that do not require a central access point or router. This enables seamless, infrastructure-free communication between the devices, allowing for data transfer, synchronization, or control functions without the need for a network intermediary. The pairing process may involve authentication or handshake procedures to ensure secure and reliable connectivity. The system is particularly useful in scenarios where network infrastructure is unavailable or where direct device-to-device communication is preferred for efficiency or privacy reasons. The wireless protocols support various use cases, such as file sharing, remote control, or collaborative applications, by enabling low-latency, high-bandwidth communication between the devices.
13. The computer system of claim 10, wherein the digitally signed ephemeral user identifier is received by the mobile computing device prior to the standalone computing device receiving the first command, and wherein prior to the user receiving the digitally signed ephemeral user identifier, the user is authenticated by the network service based on one or more of: an application on the mobile computing device; a website; a form of biometric recognition via a component of the mobile computing device; and a password of the user to access the application or the website.
This invention relates to secure authentication systems involving mobile and standalone computing devices. The problem addressed is ensuring secure and authenticated interactions between a user, a mobile device, and a standalone device, such as a kiosk or terminal, without requiring persistent user identifiers that could be compromised. The system includes a network service that authenticates a user through a mobile computing device before generating a digitally signed ephemeral user identifier. Authentication methods include biometric recognition, passwords, or verification via an application or website on the mobile device. This identifier is then transmitted to the mobile device before the standalone device receives a command to interact with the user. The standalone device verifies the identifier's authenticity using the network service's digital signature, ensuring secure access without storing long-term user credentials. The ephemeral nature of the identifier enhances security by limiting its validity, reducing the risk of unauthorized access. The system ensures seamless and secure interactions between the user, mobile device, and standalone device while maintaining privacy and minimizing exposure of sensitive authentication data.
14. The computer system of claim 10, wherein the ephemeral user identifier is transmitted via a network from the network service to the mobile computing device, wherein the ephemeral user identifier is further verified by the mobile computing device using the public key of the network service prior to transmitting the first command to the standalone computing device, wherein the first command is transmitted by the mobile computing device to the standalone computing device, and wherein the user-specific metadata is stored by the network service, which allows the standalone computing device to verify that the mobile computing device is associated with a user which has been previously authorized by the network service.
15. The computer system of claim 10, wherein the ephemeral user identifier is hidden from the mobile computing device based on an encryption of the ephemeral user identifier and a message authentication code, wherein the encryption is performed using a session key derived based on a secure cryptographic handshake protocol between the standalone computing device and the network service, and wherein the secure cryptographic handshake protocol utilizes the mobile computing device as an untrusted relay.
16. The computer system of claim 10, wherein the network service comprises a cloud-based server, and wherein the standalone computing device is not connected to the cloud-based server via any networks or any wireless access points.
17. The computer system of claim 10, wherein prior to the network service transmitting the digitally signed ephemeral user identifier to the mobile computing device, the method further comprises establishing a first secure connection based on a Transport Layer Security protocol between the mobile computing device and the network service; and wherein prior to the standalone computing device receiving the first command, the method further comprises establishing a second secure connection based on the Transport Layer Security protocol between the mobile computing device and the standalone computing device.
18. The computer system of claim 10, wherein the standalone computing device is one or more of: a multifunction printer; an Internet of Things (IoT)-capable device; and a robot.
19. An apparatus for facilitating user access to a standalone computing device, the apparatus comprising: a communication module configured to receive, by the standalone computing device from a mobile computing device associated with a user, a first command to access capabilities of the standalone computing device, wherein the first command includes an ephemeral user identifier, wherein the ephemeral user identifier includes an ephemeral key and user-specific metadata, wherein the ephemeral key is unique to and generated for the first command by a network service which is not directly accessible by the standalone computing device, wherein the user-specific metadata is previously registered by the user and stored by the network service, and wherein the ephemeral user identifier is digitally signed with a private key of the network service; a verification module configured to verify, by the standalone computing device using a public key of the network service, that the digitally signed ephemeral user identifier was generated by the network service; and a command-executing module configured to cause user access to the standalone computing device by executing, by the standalone computing device, the first command based on the user-specific metadata by accessing the capabilities of the standalone computing device.
20. The apparatus of claim 19, wherein the ephemeral user identifier is transmitted via a network from the network service to the mobile computing device, wherein the ephemeral user identifier is further verified by the mobile computing device using the public key of the network service prior to transmitting the first command to the standalone computing device, wherein the first command is transmitted by the mobile computing device to the standalone computing device, and wherein the user-specific metadata is stored by the network service, which allows the standalone computing device to verify that the mobile computing device is associated with a user which has been previously authorized by the network service.
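The device-side steps of claim 1 (receive the signed ephemeral user identifier, verify it with the network service's public key, execute the command based on the signed metadata), as an added example that is not code from the patent or from this site. Ed25519, the JSON encoding, the field names, the `user` and `allow` metadata keys, and the device's record of already-used ephemeral keys are assumptions made for illustration; the claims fix none of them.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
	"fmt"
)

// EphemeralID is the signed payload; field names and JSON encoding are assumed.
type EphemeralID struct {
	EphemeralKey string            `json:"ephemeral_key"`
	Metadata     map[string]string `json:"metadata"`
}
// Device holds only the service's public key and the ephemeral keys it has seen.
type Device struct {
	servicePub ed25519.PublicKey
	seen       map[string]bool
}
// NewPair creates a constructed service key pair and a device that trusts it.
func NewPair() (*Device, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	return &Device{servicePub: pub, seen: map[string]bool{}}, priv
}
// Issue plays the network service: serialize the identifier and sign the bytes.
func Issue(priv ed25519.PrivateKey, id EphemeralID) (raw, sig []byte) {
	raw, _ = json.Marshal(id)
	return raw, ed25519.Sign(priv, raw)
}
// Execute checks the signature on the raw bytes before parsing or trusting them.
func (d *Device) Execute(cmd string, raw, sig []byte) (string, error) {
	var id EphemeralID
	if !ed25519.Verify(d.servicePub, raw, sig) {
		return "", errors.New("not signed by the network service")
	}
	if json.Unmarshal(raw, &id) != nil || id.EphemeralKey == "" || d.seen[id.EphemeralKey] {
		return "", errors.New("malformed or already-used identifier")
	}
	if id.Metadata["allow"] != cmd {
		return "", errors.New("command not permitted by metadata")
	}
	d.seen[id.EphemeralKey] = true // one identifier authorizes one command
	return cmd + " executed for " + id.Metadata["user"], nil
}
func main() {
	dev, priv := NewPair()
	raw, sig := Issue(priv, EphemeralID{EphemeralKey: "k-0001", Metadata: map[string]string{"user": "alice", "allow": "print"}})
	fmt.Println(dev.Execute("print", raw, sig)) // accepted
	fmt.Println(dev.Execute("print", raw, sig)) // same ephemeral key again: rejected
}
```

Because the device cannot reach the network service, every check has to come from the service's public key and from state the device keeps itself, which is why reuse of an ephemeral key is tracked locally in this sketch.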
March 30, 2021